Tag Archives: VoIP

32 people was apprehended in Romania, but the VoIP hacking continues from this country. Low wages, highly educated people and not too many jobs often forces people to start hacking, combined with low risk of being caught.

This was from IP 188.24.194.155 caught in a SIP honeypot belonging to Honeynet Project.

People has gotten tired of the VoIP scannings. Sometimes they manage to abuse the PBX or just fill up the logs with all the attempts. So Mr. Oquendo started on a list of IP addresses and networks that should be blocked.

The VoIP Abuse Project is aimed at minimizing abuse for networks that have publicly accessible PBX’s. As a security engineer at a managed service provider, one of our services is VoIP. Throughout the course of the day, I got tired of seeing VoIP based brute force attempts that I decided to out companies who sit around and choose to do nothing about the attacks coming from their networks. As a courtesy I often take the time out of my work day to write constant emails to abuse and security desks which go nowhere.

Personally I think companies should have a white list, just enabling the IPs that you really need to allow traffic from, but that is not easy if you are a VoIP provider with clients all over the world.

The most abuse nowadays are open SIP servers, just as the old open mail servers which spammers relayed spam through. So we will use the phrase open sip relay about the scanning going on nowadays. Nothing new, just another protocol (but with much more money in than spam when you find one… )

Open SIP Relay by my definition is: a SIP server open to send SIP messages from whoever to whoever (even channel it through the PSTN network)

Now the scanning has started again.
For those remembering back in 2008 there was a large scanning in Germany, where customers with softphones experienced incoming calls (very annoying during the night..), it has now started again. A good paper from ipcom.at describing it extensively.

What caugt my attention was the very long branch and callid fields. They contain IP of the scanner, the scanned victim, the phone number trying to be called and several other fields (if you know what the rest of the codes are, please let me know!)

And no, it is definely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is just an indication that people are willing to put mony into developing software to attack these insecure VoIP servers.

Status now is frequent usage of stand-alone SIPviciuous and other scanners, and two kits doing extensively scanning:

the userAgent=sundayddr
they started this spring, getting scannings from all over the world, but an overweight of Chinese IP addresses.

the current scannings with “Counterpath” as user-agent.
They have been active before, and now started again (scanning latest month)

A VoIP hacking that actually reached the public, was just 10 000,- USD being frauded for. I would say they were lucky. This is just top of the iceberg, I hear about so many more not being reported because the firm or institution does not want to “have beeing hacked”. The latest news about it in Norwegian or translated to English

The latest month of scanning has seemed valuable for the hackers. A Norwegian municipality has been hacked and their PBX has been calling Somalia and a lot of others destinations we have picked up on our VoIP honeypots during the last month.

If you have an unsecure IP PBX on the net, now it will only take hours before it will be detected. Most normal cause for this is misconfiguration. The people setting up the IP PBX has not taken security seriously and the IP PBX is wide open for calling.

The simplest ways is that inbound calls is routed out again if no local destination is found. A little harder is to just brute-force the password on extensions. I can only say, there will be more like this!

The hacker can sell this “gateway” to a third party dealing with calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.